WEOMEASS | © Qualys 


Managing Compliance in 
Rapidly Changing 


Regulatory Environment 


Secure. Comply. Save. 


@ COMPASS 


IT Compliance 


Agenda 


Introduction 
Objectives 
Threats 
Requirements 
Tools 
Summary 


Questions 


Secure. Comply. Save. 


@ COMPASS 


Introduction IT Compliance 


Organizations face complex compliance challenges in 
today s business environment. These organizations 
are audited/assessed to various laws such as HIPAA, 
state privacy laws, GDPR, standards like PCI-DSS, 


and frameworks like ISO, NIST, and COBIT, to name a 
few. 
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Objective 


| will take you through the changing Threat, Legal, and 
Compliance landscape and how utilizing tools like the 
Qualys Cloud Platform to perform internal and external 
vulnerability assessments, and SSL Labs to test a 
browser's SSL implementation and a server's 
configuration, can help you meet these changing 
requirements. 


You will get valuable, actionable takeaways that they can 
be implemented in your organization to help you meet 
these requirements and mitigate their overall risk in the 
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Threats IT Compliance 


Many security organizations track these threats and trends like Krebs 
on Security, US-Cert, and SANS.org 


According to antivirus company Kaspersky Lab, “The number of new 
malicious files processed by Kaspersky Lab's in-lab detection 


technologies reached 360,000 a day in 2017.” Thats 


There are many more cybersecurity threats and network vulnerabilities 
in existence that malicious actors can exploit to steal your company’s 
data or cause harm. 


Getting ahead of these threats is critical 
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Threats/Trends 


— Ransomware, Trojans, and Worms... 

- While there are countless new 
threats being developed daily, many of them rely on old security 
vulnerabilities to work 

- Phishing, Pretexting, Baiting/Quid Pro Quo... 
— Internet of things includes smart devices such as Wi-Fi 
capable appliances, robots, etc. that many business don t even realize 
are on their network 


i — The biggest security vulnerability in any organization is 
its own employees 
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Requirements 


Laws 
Regulations 
Frameworks 
Guidelines 


Best Practices 
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FFIEC 


The Federal Financial Institutions Examination Council is a formal U.S. government interagency body 
composed of five banking regulators that is "empowered to prescribe uniform principles, standards, and 
report forms to promote uniformity in the supervision of financial institutions" 


Information Security Examination Handbook - II.C.4 Control 
Implementation 


Management should implement controls that align security with the 
nature of the institution's operations and strategic direction. Based on 
the institution s risk assessment, the controls should include, but may 
not be limited to, patch management, asset and configuration 
management, , end-point 
security, resilience controls, logging and monitoring, and secure 
software development (including third-party software development). 
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HIPAA - y% ee bes - 


Health Insurance Portability and Accountability Act of 1996 


Security Security 164.308(a)(1)(i)(A) Conduct an 

Management accurate and thorough 

Process assessment of the potential risks 
and vulnerabilities to the 
confidentiality, integrity, and 
availability of electronic protected 
health information (ePHI) held by 
the covered entity. 
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GDPR 


The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and 
privacy for all individuals within the European Union and the European Economic Area. 


The regulation applies if an organization collects or processes 
data from EU residents, or the data subject (person) is based 
in the EU. Under certain circumstances, the regulation also 
applies to organizations based outside the EU if they collect 
or process personal data of individuals located inside the EU. 


The regulation does not apply to the processing of data by a 
person for a "purely personal or household activity and thus 
with no connection to a professional or commercial activity." 
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GDPR 


Responsibility and accountability 


To be able to demonstrate compliance with the GDPR, the data 
controller must implement measures which meet the principles of data 
protection by design and by default. This includes 


Data protection by design and by default (Article 25) require data 
protection measures to be designed into the development of business 
processes for products and services. 


It is the responsibility and the liability of the data controller to implement 
effective measures and be able to demonstrate the compliance of 
processing activities even if the processing is carried out by a data 
processor on behalf of the controller. 
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PCI DSS 3.2.1 


Web Application Scanning 


6.6 For public-facing web applications, ensure that either one 
of the following methods is in place as follows: + Examine 
documented processes, interview personnel, and examine 


records of application security assessments to verify that 
public-facing web applications are reviewed—using either 
manual or automated tools 
or methods—as follows: - At least annually. - After any 
changes. 
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PCI DSS 3.2.1 


Section 11 — 


11.2.x Run internal and external network vulnerability scans at least quarterly 
(performed by an Approved Scanning Vendor (ASV)) and after any significant 
change in the network (such as new system component installations, changes 
in network topology, firewall rule modifications, product upgrades). 


11.3.1 Perform external penetration testing at least annually and after any 
significant infrastructure or application upgrade or modification (such as an 
operating system upgrade, a sub-network added to the environment, or a web 
server added to the environment). 


11.3.2 Perform internal penetration testing at least annually and after any 
significant infrastructure or application upgrade or modification (such as an 
operating system upgrade, a sub-network added to the environment, or a web 
server added to the environment). 
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SANS Top 20 


K | COMPASS 


IT Compliance 


Center for Internet Security (CIS) and other organizations, developed the 20 Critical Security Controls 
(CSC) for Effective Cyber Defense 


Cac I: 


CSC 2: 
Cac a: 


Laptops, Workstations, and Servers 


CSC 4: Continuous Vulnerability Assessment and Remediation 
CSC 5: Controlled Use of Administrative Privileges 
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs 
CSC 7: Email and Web Browser Protections 
CSC 8: Malware Defenses 
CSC 9: Limitation and Control of Network Ports, Protocols, and Services 
CSC 10: Data Recovery Capability 
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, 
and Switches 
CSC 12: Boundary Defense 
CSC 13: Data Protection 
CSC 14: Controlled Access Based on the Need to Know 
à CSC 15: Wireless Access Control 
@ CSC 16: Account Monitoring and Control 
ma CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps 
| CSC 18: Application Software Security 
CSC 19: Incident Response and Management 
CSC 20: Penetration Tests and Red Team Exercises 


Inventory of Authorized and Unauthorized Devices 
Inventory of Authorized and Unauthorized Software 
Secure Configurations for Hardware and Software on Mobile Devices, 
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Tools 


External Vulnerability Assessments: We leverage Qualys’ portal (QualysGuard) 
for scanning external IPs. Essentially this is a cloud product. We define the 
assets that we want tested, but we actually don't have insight on what scanner 
is actually being used. 


Internal Vulnerability Assessments: we have a few options now. All varieties 
an the same capabilities (personal/vm are cheaper than the traditional U1 
box 


* Internal Hardware scanner. This is a U1 hardware device that can be 
installed on your stack that connects to Qualys online. 


* Internal personal edition: this is a lightweight hardware device roughly 5 in. 
x 5 in. in size. 


* VM - a Qualys virtual machine that can be installed on virtual box/ 
hypervisor/VMWare 
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Tools (cont.) 


This scanner (both internal/external) is used for discovery of 
vulnerabilities in both regular vulnerability assessments and also 
penetration testing. These scanners create the blueprint for our analyst 
to start their testing on. 


Qualys also has the capability to run web application scanning and we 
leverage this along with other types of products to perform this task. 


Qualys leverages selenium scripting technology to easily login into web 
applications and allow the scanner to spider each page for threats. 
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| 
Labs Mr Compliance 


This free online service performs a deep analysis of 
the configuration of any SSL web server on the public 
Internet. 


Please note that the information you submit here 
is used only to provide you the service. We don't 
use the domain names or the test results, and we 
never will. 
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Home Projects Qualys.com Contac 
@ Qualys. SSL Labs ject y tact 


You are here: Home > Projects > SSL Server Test > www. 


SSL Report: www. 


Assessed on: Wed, 31 Oct 2018 02:31:00 UTC | Hide | Clear cache Scan Another » 


Summary 


Overall Rating 


Certificate 


Protocol Support 


Key Exchange 


Cipher Strength 


Qualys — SSL Labs (cont.) AY. Hitt be 


Configuration 


TLS 1.3 
TLS 1.2 
TLS 1.1 
TLS 1.0 
SSL 3 
SSL 2 
For TLS 1.3 tests, we only support RFC 8446. 


Secure. Comply. Save. 


@ COMPASS 


IT Compliance 


Summary 


There is an everchanging threat landscape 

Businesses are not static 

Threats are exploited & in response laws come out to protect consumers 
Staff Education 

Run quarterly internal and external vulnerability assessments 

Perform Annual External Penetration Tests (and after critical changes) 
Perform Semi-Annual Internal Penetration Tests (and after critical changes) 
Ongoing Vulnerability Management 

Don't just be compliant - be secure 
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